Today I scanned my computer with HitmanPro to ensure my PC's security. I was quite surprised: HitmanPro detected a trojan! :o I didn't delete that file, for further investigation. So I tried to run a "folder scan" with my Avast IS 2014, fully updated. But unfortunately, no reaction from Avast (DeepScreen enabled, Hardened Mode aggressive)!
First, VirusTotal is unable to run elements of avast that can be run on your system (namely DeepScreen and Hardened Mode); both of these may be able to look beyond simple signatures, and in the case of the VT results it is a generic signature (Win32:Trojan-gen).
Passing DeepScreen and/or Hardened Mode (which does an avast cloud reputation check) validation could well be why there is no alert on the system.
This, after all, is something which is going to be modifying the HOSTS file, so it may well be considered suspicious at the very least, something that many may consider a PUP.
What you don't say is what HitmanPro detected: file name and location (if other than hostsmon.exe) and what malware name was given.
Personally I wouldn't use HitmanPro; it can be very aggressive and has caused system problems in the past with deletion of important files. In the short time that I tried it, it only returned false positives, and despite my reporting them, some time later these still hadn't been corrected.
The log file of HitmanPro is attached. The path is: C:\Windows\system32\drivers\setup\hosts\hostsmon.exe, and the name (based on GData) is Backdoor.Generic.104430.
As I mentioned, the stupid thing was why Avast IS didn't detect this file, which was inside my computer for many days, and why on VirusTotal the same file was listed normally as a trojan by Avast itself!
In the same dir. "\drivers\setup\hosts", there were other infected files which Avast IS was able to detect and quarantine without any problem.
Regarding HitmanPro, I rarely use it. But IMO it's a useful tool in those cases when the primary defense fails to do its job.
Well, the HitmanPro detection is no clearer than that of avast on VirusTotal. It (GData) is also detecting a generic signature of the Bitdefender engine (one of its two). Though I don't know why it might detect on a standard on-demand scan on VT but not on the system.
I was thinking that this hostsmon.exe file was related to the HOSTS file monitor program (hostsman), but that may go by a different file name and possibly location. Unfortunately I don’t use hostsman, so I can’t confirm one way or another.
Are you using any form of hosts file manager on your system?
This can get many security-based tools a bit twitchy when .exe files are located in a sub-folder of the system32\drivers\ folder.
Ya know, if you compare the amount of signatures which were "optimized"… it doesn't go well… The current v9 has 2,616,512 signatures, which was supposed to have removed old MS-DOS malware (useless) and catch the same amount of infections…
Looking at your image, the process 7zip indicates that this was inside an archive file; now it depends on what you were doing in relation to a scan with avast, as archives aren't scanned by default since they are inert/dormant until extraction.
The real dir. was not inside the archive when I tested yesterday with Avast 2014.
But the only way to test those files using another Avast was to install VirtualBox. So I archived that directory and sent it to the virtual machine. That's the reason why 7Zip appears.
Btw, if you want to test these files with your own antivirus, you are welcome.